CVE-2026-20262
Published 2026-06-15
Priority P1 · 86 · medium · 6.5 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:H / A:N
KEV · ITW
CISA Known Exploited Vulnerability, due 2026-06-29
Exploited in the wild
EPSS: 7.68% (93.8th percentile)
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account.
Affected
382 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | catalyst_sd-wan_manager | < 20.9.9.2 | 20.9.9.2 |
| cisco | catalyst_sd-wan_manager | >= 20.10 < 20.12.7.2 | 20.12.7.2 |
| cisco | catalyst_sd-wan_manager | >= 20.13 < 20.15.4.5 | 20.15.4.5 |
| cisco | catalyst_sd-wan_manager | >= 20.15.5 < 20.15.5.3 | 20.15.5.3 |
| cisco | catalyst_sd-wan_manager | >= 20.16 < 20.18.3.1 | 20.18.3.1 |
| cisco | catalyst_sd-wan_manager | >= 26.1 < 26.1.1.2 | 26.1.1.2 |
| cisco | cisco_catalyst_sd-wan_manager | — | — |
Detection & IOCs (extracted from sources)
- Look for crafted HTTP requests targeting file upload API endpoints on Cisco Catalyst SD-WAN Manager (formerly vManage), which may indicate exploitation of the arbitrary file write vulnerability.
- CVE-2026-20262 is confirmed under active exploitation in the wild; prioritize detection and forensic triage on internet-exposed Cisco Catalyst SD-WAN Manager instances.
- Monitor for unexpected file creation or file overwrites on the underlying OS of Cisco Catalyst SD-WAN Manager, as a successful exploit allows creation or overwrite of any file, which may later be leveraged for privilege escalation to root.
- Exploitation requires authenticated access with at least a lower-privileged, single-task user account; audit SD-WAN Manager authentication logs for anomalous low-privilege account activity followed by file upload API calls.
- The vulnerability is classified as a directory or path traversal flaw; inspect HTTP request logs for path traversal patterns (e.g., `../`, `%2e%2e%2f`) in file upload API requests to SD-WAN Manager.
- CISA BOD 26-04 forensic triage requirements apply to this CVE; organizations must follow the linked forensics triage guidance in addition to patching.
- CISA remediation due date for CVE-2026-20262 is 2026-06-29; organizations subject to BOD 26-04 must patch by this date.
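The request-log inspection described in the list above, as an added example (not from the Cisco advisory or any of the quoted sources): it flags write requests whose target still contains a `..` path segment after repeated percent-decoding, so `%2e%2e%2f` and double-encoded forms are caught as well. The log layout, the `/example/api/upload` path and the account names are constructed placeholders; the page does not give the real endpoint name or log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic "combined"-style layout (an assumption:
# the page shows neither SD-WAN Manager's log format nor the endpoint name).
SAMPLE_LOG = """\
10.0.0.5 - opsview [15/Jun/2026:10:01:02 +0000] "GET /example/api/status HTTP/1.1" 200 512
10.0.0.9 - task01 [15/Jun/2026:10:02:10 +0000] "POST /example/api/upload?name=report.csv HTTP/1.1" 200 88
10.0.0.9 - task01 [15/Jun/2026:10:02:44 +0000] "POST /example/api/upload?name=../../tmp/x HTTP/1.1" 200 88
10.0.0.9 - task01 [15/Jun/2026:10:03:01 +0000] "POST /example/api/upload?name=%2e%2e%2f%2e%2e%2ftmp%2fx HTTP/1.1" 200 88
10.0.0.9 - task01 [15/Jun/2026:10:03:20 +0000] "PUT /example/api/upload/%252e%252e%252fx HTTP/1.1" 201 0
10.0.0.7 - admin [15/Jun/2026:10:04:00 +0000] "POST /example/api/upload?name=..hidden.txt HTTP/1.1" 200 88
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# ".." only counts when it is a whole path segment, so "..hidden.txt" is not a hit.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')
WRITE_METHODS = {"POST", "PUT", "PATCH"}

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so %252e%252e%252f is reduced to ../ too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_writes(log_text):
    """Return one record per write request whose decoded target has a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        decoded = fully_decode(m["target"])
        if TRAVERSAL_RE.search(decoded):
            hits.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"],
                         "status": m["status"], "decoded": decoded})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_writes(SAMPLE_LOG):
        print(hit)
```

A traversal sequence carried in a multipart body (for example an uploaded filename) does not appear in a request-line log, so a clean result here is inconclusive and should be paired with the file creation and overwrite monitoring listed above.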
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vulncheck · 6.5 MEDIUM
cisa · 6.5 MEDIUM
GHSA
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an af
ghsa_unreviewed·2026-06-15
CVE-2026-20262 [MEDIUM] CWE-22 A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an af
VulDB
Cisco Catalyst SD-WAN Manager up to 26.1.1_LI_Images API Endpoint path traversal (cisco-sa-sdwan-arbfw-c2rZvQ)
vuldb·2026-06-15·CVSS 6.5
CVE-2026-20262 [MEDIUM] Cisco Catalyst SD-WAN Manager up to 26.1.1_LI_Images API Endpoint path traversal (cisco-sa-sdwan-arbfw-c2rZvQ)
A vulnerability has been found in Cisco Catalyst SD-WAN Manager and classified as critical. This affects an unknown part of the component API Endpoint. This manipulation causes path traversal.
This vulnerability appears as CVE-2026-20262. The attack may be initiated remotely. In addition, an exploit is available.
The affected component should be upgraded.
VulnCheck
Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
vulncheck·2026·CVSS 6.5
CVE-2026-20262 [MEDIUM] CWE-22 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
Affected: Cisco Catalyst SD-WAN Manager
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence
CISA
Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
cisa·2026-06-15·CVSS 6.5
CVE-2026-20262 [MEDIUM] CWE-22 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
Vulnerability: Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
Affected: Cisco Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensu
No detection rules found.
No public exploits indexed.
Hackernews
Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
blogs_hackernews·2026-06-24·CVSS 8.6
CVE-2026-20230 [HIGH] Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
## Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
Threat actors have begun to exploit a recently disclosed critical security flaw impacting Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME).
The vulnerability, tracked as CVE-2026-20230 (CVSS score: 8.6), is a case of improper input validation for specific HTTP requests that could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device.
"An attacker could exploit this vulnerability by sending a crafted HTTP
Checkpoint
22nd June – Threat Intelligence Report
blogs_checkpoint·2026-06-22
CVE-2026-42824 22nd June – Threat Intelligence Report
## 22nd June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Texas Parks and Wildlife Department has been affected by a third-party data breach involving its license system vendor. The incident exposed driver’s license information, passport numbers, emails, phone numbers, and residential addresses for 3,087,721 hunting and fishing license customers. Social Security numbers and payment dat
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews·2026-06-22·CVSS 9.8
CVE-2026-24858 [CRITICAL] ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
## ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Hackernews
Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw
blogs_hackernews·2026-06-16·CVSS 6.5
CVE-2026-20262 [MEDIUM] Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw
## Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw
Cisco has released security updates for a medium-severity security flaw in Catalyst SD-WAN Manager that has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2026-20262, carries a CVSS score of 6.5 out of 10.0.
"A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system," Cisco said in an advisory.
The issue, the networking equipment company added, stems from inadequat
Bleepingcomputer
Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks
blogs_bleepingcomputer·2026-06-15·CVSS 6.5
CVE-2026-20262 [MEDIUM] Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks
## Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks
Sergiu Gatlan
Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges.
Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard.
The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
Cisco said the issue stems from insufficient validation of user-supplied input during file uploads, which can allow low-privilege remote attackers
Published: 2026-06-15
Added to CISA KEV: 2026-06-15
Exploited in the wild